package com.qijia.common.security;

import java.util.Collection;  
import java.util.Iterator;  

import org.apache.log4j.Logger;
import org.springframework.security.access.AccessDeniedException;  
import org.springframework.security.access.ConfigAttribute;  
import org.springframework.security.authentication.InsufficientAuthenticationException;  
import org.springframework.security.core.Authentication;  
import org.springframework.security.core.GrantedAuthority;  

public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {  
	
    /** 
     * Logger for this class 
     */  
    private static final Logger logger = Logger.getLogger(AccessDecisionManager.class);

    // In this method, need to compare authentication with configAttributes.  
    // 1, A object is a URL, a filter was find permission configuration by this  
    // URL, and pass to here.  
    // 2, Check authentication has attribute in permission configuration  
    // (configAttributes)  
    // 3, If not match corresponding authentication, throw a  
    // AccessDeniedException.  
//    public void decide1(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {  
//        System.out.println("驗證");
//        
//    	if (logger.isDebugEnabled()) {  
//            logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - start"); //$NON-NLS-1$  
//        }  
//        if (configAttributes == null) {  
//            if (logger.isDebugEnabled()) {  
//                logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$  
//            }  
//            System.out.println("空值");
//            return;  
//        }  
//        System.out.println("正在访问的url是："+object.toString());  
//        if (logger.isDebugEnabled()){  
//            logger.debug("正在访问的url是："+object.toString());  
//        }  
//        Iterator<ConfigAttribute> ite = configAttributes.iterator();  
//        while (ite.hasNext()) {  
//            ConfigAttribute ca = ite.next();  
//            System.out.println("needRole is："+ca.getAttribute());  
//            String needRole = ((SecurityConfig) ca).getAttribute();  
//            for (GrantedAuthority ga : authentication.getAuthorities()) {  
//            	System.out.println("/t授权信息是："+ga.getAuthority());  
//                if (needRole.equals(ga.getAuthority())) { // ga is user's role.  
//                	System.out.println("判断到，needRole 是"+needRole+",用户的角色是:"+ga.getAuthority()+"，授权数据相匹配"); 
//                    if (logger.isDebugEnabled()) {  
//                        logger.debug("判断到，needRole 是"+needRole+",用户的角色是:"+ga.getAuthority()+"，授权数据相匹配");  
//                        logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$  
//                    }  
//                    return;  
//                }  
//            }  
//        }  
//        throw new AccessDeniedException("没有权限");  
//    }  
    
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
    	if(configAttributes == null) {
			return;
		}
		//所请求的资源拥有的权限(一个资源对多个权限)
		Iterator<ConfigAttribute> iterator = configAttributes.iterator();
		while(iterator.hasNext()) {
			ConfigAttribute configAttribute = iterator.next();
			//访问所请求资源所需要的权限
			String needPermission = configAttribute.getAttribute();
			System.out.println("needPermission is " + needPermission);
			//用户所拥有的权限authentication
			for(GrantedAuthority ga : authentication.getAuthorities()) {
				if(needPermission.equals(ga.getAuthority())) {
					return;
				}
			}
		}
		//没有权限让我们去捕捉
		throw new AccessDeniedException(" 没有权限访问！");
	}
    
    public boolean supports(ConfigAttribute attribute) {  
        // TODO Auto-generated method stub  
        return true;  
    }  
    public boolean supports(Class<?> clazz) {  
        return true;  
    }  
} 